The New Rule on Customer Due Diligence Key Takeaways from Banker s Toolbox

Transcription

1 The New Rule on Customer Due Diligence Key Takeaways from Banker s Toolbox Maleka Ali, CAMS, CAMS-Audit In May of 2016, the U.S. Department of the Treasury issued final rules under the Bank Secrecy Act (BSA) to clarify and strengthen customer due diligence (CDD) requirements. The final ruling can be found here. As expected, with the new rule, financial institutions will be required to establish and maintain written procedures that incorporate the identification of beneficial owners of legal entity customers into their AML compliance program. What caught many by surprise is that the new rule also strengthens CDD requirements and unofficially incorporates CDD into a new fifth pillar for BSA/AML. Here are some key takeaways to help you prepare for the upcoming changes. Key Elements of the New CDD Rule Identifying & verifying the identity of your customers. Identifying & verifying the identity of beneficial owners with 25% or more equity interest of your legal entity customers. Understanding nature & purpose of customer relationships.* Conducting ongoing monitoring to maintain and update customer information & to identify & report suspicious transactions.* *The last two elements contain language that is verbatim from the FFIEC BSA/AML examination manual and have been an expectation of many examiners for years. Some institutions have already been collecting and including these additional elements in their monitoring programs, which sometimes puts them at an unfair competitive disadvantage with other institutions. Codifying these requirements will not only strengthen an institution s BSA/AML program, but will also even the playing field. Beneficial Ownership Certification What is it and how should we collect it? At the time a new account is opened for a legal entity, financial institutions are required to obtain a certification from the individual opening the account on behalf of the legal entity, identifying the beneficial owner(s) of the entity. FinCEN has provided a sample certification form in Appendix A of the new rule that may be used for this purpose. Certain entity types are excluded; a list of exclusions can be found in the new rule. Alternatively, you can use a different form or format (paper or electronic) to obtain the same information required in sample certification, as long as the individual still certifies the accuracy of the information to the best of their knowledge. The good news is that you may rely on the information supplied by the individual certifying the identity of the beneficial owners, provided you have no knowledge of facts that would cause you to question it.

2 Customer Due Diligence Requirements The FFIEC manual says the objective of CDD is that it should enable the bank to be able to predict with relative certainty the types of transactions in which a customer is likely to engage to assist them in determining when transactions are potentially suspicious. So the expectations of many examiners are for you to capture enough customer information and expected transactions upfront at account opening, in order to understand expectations and then run reports to look for any transactional patterns and amounts that deviate from that expected level of account activity. Frequently Asked Questions Q) When will it be in effect? A) The rule will take effect 60 days after its publication in the Federal Register (July 10th, 2016). Q) When must we be compliant? A) You have two years (until May 11th, 2018) at the very latest to update your policies, procedures and implement your new processes, but do not be surprised if your examiners ask to see your implementation plan. Q) Is the rule retroactive? A) No, you will only need to obtain this information going forward. However: If a legal entity opens a new account, another certification must be obtained even for legal entities with existing relationships. Examiners will also require a risk based approach to updates if, during normal monitoring, there appears to be changes to the beneficial ownership information. In some cases, this may require re-certification, even for existing accounts. Q) How does this apply to loan accounts? A) This rule applies to all accounts including checking, savings, certificates and loans. Q) Are we required to add beneficial owners to our core systems, or are notes sufficient? A) You are required to aggregate for CTR purposes and for suspicious activity monitoring, so at a minimum, this information must be in your CTR and AML monitoring systems. 2

3 Q) What CIP information should I collect for beneficial owners? A) You will collect the same basic customer identification program (CIP) information that you collect today name, date of birth for individuals, address, and identification number. Just like you do for signers on the account, you will be required to verify the identity of each listed beneficial owner, using risk based procedures to the extent that is reasonable and practicable, just like your CIP rules. You have the option to accept a copy of the identification for beneficial owners since often they will not be present at account opening. You are not required to retain the copies, but you do need to document what you collected for five years after the account is closed. When updating your CIP policies and procedures, you may choose to: Re-write the section of your policies to include beneficial ownership, or Create a separate sub-section of CIP for beneficial ownership. Q) The new rule refers to a two-prong approach to beneficial ownership. What does this mean? A) The new rule takes a two-prong approach (ownership and control) for the identification of beneficial owners. You will have to consider both: Ownership Prong For the ownership prong, you need to identify any natural persons with a 25% or more ownership of the legal entity. You do not need to calculate or determine this; you can rely on the certification provided by the customer. If something alerts you that they are providing untrue information, you should file a SAR. There is no obligation for the financial institution to determine beneficial ownership or analyze calculations they may rely on information provided by the individual on the certification form. There may be no beneficial owner with 25% or more. If so, there may be no beneficial owners listed for the ownership prong. There is no obligation to determine if the entity is structuring to avoid a 25% threshold. Use a trustee as the beneficial owner if a trust owns 25% or more of a legal entity. Control Prong You will also have to collect at least one individual from the control prong. This is to be a natural person within the management structure who has significant responsibility to control, manage or direct the legal entity. Q) How do we gather and obtain information to determine who has significant responsibility for managing the legal entity for the control prong? A) The preamble states: With the variety of possible complicated scenarios that a financial institution might encounter when trying to determine beneficial ownership under the ownership prong, the control prong provides for a straightforward test: the legal entity customer must provide identifying information for one person with significant managerial control. It further provides as examples a number of common, well-understood senior job titles, such as President, Chief Executive Officer, and others. Taken together, FinCEN believes that these clauses provide ample information for legal entity customers to easily identify a natural person that satisfies the definition of control person. 3

4 Q) How do we have non-governmental organizations (NGOs), charities and religious organizations such as churches complete the certification of beneficial ownership? A) NGOs, charities and religious organizations such as churches are excluded from the ownership prong, so you only need to list one person who has significant control over the entity for the control prong. Q) In our current policies and procedures we collect more than the basic CIP elements for accountholders/signers. Will we be criticized if we do not request this same extra information for beneficial owners? A) No, as long as you collect the basic required information for the beneficial owners. Be sure to be clear and detailed in your updated policies and procedures, and remember you can always make a risk based decision to request more information than is listed in your policy. Q) If the individual opening the account does not provide CIP on the beneficial owners, should we refuse to open the account? A) Yes, this is basic CDD information that will be required under the new rule and should be made clear in your updated policies and procedures. Q) Can we accept non-documentary verification for CIP information for beneficial owners like we do for our existing owners/signers? A) Yes, your CIP verification policy and processes for beneficial owners may be similar to what you currently have in place today for signers/owners. Q) Are we required to conduct OFAC checks on beneficial owners? How about 314(a) scans? A) Yes, you are required to conduct OFAC scans on the beneficial owners and take appropriate action on the legal entity if you get a hit. In terms of 314(a) scans, you should again scan the beneficial owners for a named match, but you do not need to report the underlying beneficial owners if only the legal entity is a named subject match. Q) Should I be collecting the same customer due diligence information at account opening for each new account? And what about consumer accounts? A) Regulators say that the level of sophistication of analysis for a CIP program, and the collection of customer due diligence information, may vary by bank. A detailed analysis is important because with any type of product or category of customer, there will be accountholders that pose varying levels of risk. Even though the beneficial ownership rules are specifically written for business entities, an institution may also make a risk based decision that they need to request additional information for consumer accounts as well. For example: will cash and international activity be expected? 4

5 CDD Checklist These key takeaways only scratch the surface of the changes that will impact your CDD. With the changes coming up quickly and the expectations starting now, where do you begin? To get more details on what will be expected and how to prepare, view our full-length webinar, It s Here! CDD Final Rule: Step Up Your CDD Program, on our website. Also, start by creating a checklist (see next page) or even a taskforce, to start understanding the changes that will need to be made, including costs and timelines. Include other departments such as operations, branch administration, form managers and system managers. How Can Banker s Toolbox Help? Banker s Toolbox provides software and services that help community financial institutions manage their BSA/AML and fraud-related activity. Our goal is to help you be confident and compliant during your exams. Available in the summer of 2017, Due Diligence Manager from Banker s Toolbox will be your fast-track solution to compliance with the new CDD rule. It will powerfully address the question of how to comply with beneficial ownership several months prior to the deadline. Furthermore, it gives you a comprehensive solution to manage your ongoing and initial customer due diligence, while easily adapting to your current KYC/CDD/EDD/account opening policies and procedures. To learn more about Banker s Toolbox can help you prepare for the new CDD rule, visit bankerstoolbox.com or experts@bankerstoolbox.com. 5 Last updated 5/12/17.

6 Sample Checklist Customer Due Diligence and Beneficial Ownership (This is only a sample. Actual tasks at your institution may differ.) Category Tasks Details/Comments Policies BSA Policy Due Date Completed Date Responsible Party OFAC Policy CIP/New Acct Opening Policies Procedures New Acct Opening Procedures Update CTR aggregation procedures Update OFAC scanning procedures Update suspicious activity monitoring procedures Forms Signature Card Certification Form New Account Worksheets Onboarding Processes What will you collect What will be entered at onboarding OFAC scanning Are sufficient name lines available to enter beneficial ownership info? System Changes Beneficial Ownership Information and CIP Relationship Code Updates Data feed changes for data from Host to AML systems Changes to CTR aggregations systems Changes to structuring aggregation Ability to collect additional CDD information Ability to collect expected activity Create reports of accts whose activity differs from expected Training Train branch personnel Train central operations Train BSA dept. Train any other depts. as necessary